Malware

IcedID Being Distributed Through ISO Files

  • Jul 20 2022
IcedID Being Distributed Through ISO Files

The ASEC analysis team has been introducing various types of malware that were distributed through ISO files. And the team recently discovered the distribution of IcedID (module-type banking malware) through ISO files. There were two methods to distribute the malware. The first one used the same method employed by the Bumblebee malware that was discussed in the previous post. The second method is similar to the first one but had script files and the cmd command added.

Bumblebee Being Distributed in Korea Through Email Hijacking

The first type used the same process for distribution and execution of IcedID as that of Bumblebee discussed in the previous post. It used the email hijacking technique to snatch normal emails and send replies to users with malicious file attachments (see the figure below). The file is compressed and protected with a password written in the email.

 

Inside the compressed file is an ISO file. Running the ISO file creates an lnk and a DLL file in the DVD drive, and the malicious DLL is loaded through the lnk file. The DLL is set as hidden, and the process for loading is identical to that of Bumblebee.

  • lnk command
    %windir%\system32\cmd.exe /c start rundll32.exe hertbe.dll,#1

 

 

The loaded DLL is IcedID. Similar to Emotet and Dridex, IcedID is a banking malware that performs malicious behaviors by downloading the main module. The DLL’s C2 is as follows:

  • C2
    hxxp://carismorth[.]com/

The second type includes additional files inside the ISO file besides lnk and DLL. Inside the ISO are an lnk file and two folders as shown below.

 

 

The lnk file runs the worker.cmd file inside “them” folder.

  • lnk command
    C:\them\worker.cmd

 

The worker.cmd file executed by the lnk file runs the worker.js file existing in the same folder with the argument “l32”.

 

The worker.js file combines the two strings “l32” (received as an argument) and “rundl” to ultimately load the then.dat file inside the same folder through rundll32.exe.

 

The loaded then.dat file is a DLL file (IcedID). Its C2 and packets are shown below. The second type ultimately loads a DLL using the lnk file in the same method of the first type, while going through additional steps.

  • C2
    hxxp://cootembrast[.]com/

 

There is a recent increase in the distribution of malware through ISO files. As attackers are also using a method of sending replies after snatching normal emails, users need to take caution and refrain from opening attachments. AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below.

[File Detection]
Trojan/Win.Generic.R503676 (2022.07.10.01)
Trojan/Win.IceID.R505751 (2022.07.20.02)
Dropper/ISO.IcedID (2022.07.20.01)
Dropper/ISO.Agent (2022.07.20.02)

 

MD5

354c059e6f6a7d52046855496e9bbcff
6474da79ff6331712c6a2c5cbadc9051
88a254de852e3ba553da1af698215973
ad0436f20e1ecd7fdf9b4d147d8db2da
URL

http[:]//carismorth[.]com/

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.

Tags:
Previous Post

Next Post